DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
This article provides a basic explanation of the features and purpose of the federal law, the Health Insurance Portability and Accountability Act of 1996, which goes by the acronym of “HIPAA.”
HIPAA established national standards to protect the privacy and security of individuals' medical records and other individually identifiable health information (“protected health information”). The Department of Health and Human Services (HHS) administers HIPAA through regulations and enforcement actions.
HIPAA contains three regulations that work in tandem to ensure that patients’ protected health information is not used, disclosed, or accessed improperly or without authorization. These regulations include the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule.
The HIPAA Privacy Rule applies to what HIPAA defines as “covered entities.” Under HIPAA, covered entities are health plans, healthcare clearinghouses, and healthcare providers. The Privacy Rule regulates how and when covered entities may use and disclose patient PHI. The Privacy Rule also sets forth a series of patient rights, including a right to request access to PHI, a right to request an accounting of a covered entity’s disclosure of PHI, and the right to file a complaint about a suspected or actual violation of the Privacy Rule.
The HIPAA Security Rule applies to covered entities as well as to what HIPAA refers to as “business associates.” Business associates are entities that create, maintain, receive, and/or transmit PHI for or on behalf of a covered entity. The Security Rule prescribes administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI, which is PHI that is transmitted in electronic form.
The HIPAA Breach Notification Rule requires covered entities to report, in the form of a notice, certain breaches of protected health information to individuals affected by those breaches. Covered entities must also report these breaches to the Department of Health and Human Services’ Office for Civil Rights (OCR), and, in some instances, to media outlets. Under the Breach Notification Rule, business associates are required to report breaches they have sustained to the covered entities whose PHI has been entrusted to them.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article